
Insufficient validation when decoding a Socket.IO packet

High severity GitHub Reviewed Published May 22, 2023 in socketio/socket.io-parser • Updated Nov 11, 2023

Package

npm socket.io-parser (npm)

Affected versions

>= 3.4.0, < 3.4.3
>= 4.0.4, < 4.2.3

Patched versions

3.4.3
4.2.3

Description

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

    TypeError: Cannot convert object to primitive value
        at Socket.emit (node:events:507:25)
        at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

socket.io version   socket.io-parser version   Needs minor update?
4.5.2...latest      ~4.2.0 (ref)               npm audit fix should be sufficient
4.1.3...4.5.1       ~4.1.1 (ref)               Please upgrade to socket.io@4.6.x
3.0.5...4.1.2       ~4.0.3 (ref)               Please upgrade to socket.io@4.6.x
3.0.0...3.0.4       ~4.0.1 (ref)               Please upgrade to socket.io@4.6.x
2.3.0...2.5.0       ~3.4.0 (ref)               npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

References

Published to the GitHub Advisory Database May 23, 2023
Reviewed May 23, 2023
Published by the National Vulnerability Database May 27, 2023
Last updated Nov 11, 2023

Severity

High (7.3 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2023-32695

GHSA ID

GHSA-cqmj-92xf-r6r9
